Not receiving any logs from Okta

roberteves
Explorer

I've installed the Okta Identity Cloud Add-on for Splunk. There was an attempt to configure it a while ago, but it wasn't tested much. When looking at it again I noticed that there was a 401 Unauthorized error when trying to make the API request. I had the admin create a new token and I configured the token and input in the app. I don't see any errors in the logs; in the app log it does show the message "No logs returned". I know there were both failed and successful attempts to log in to that Okta. Is there anything else I can check on the Splunk or Okta side?

2021-04-02 14:44:05,498 INFO pid=7784 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling
2021-04-02 14:44:05,541 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: log_limit
2021-04-02 14:44:05,569 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: log_limit
2021-04-02 14:44:05,582 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_collectLogs sees an existing next link value of: https://[redacted].oktapreview.com/api/v1/logs, picking up from there
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: max_log_batch
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: skip_empty_pages
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: http_request_timeout
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: allow_proxy
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: bypass_verify_ssl_certs
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: custom_ca_cert_bundle_path
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=setup_util.py:log_info:117 | Customized key can not be found
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | Use of the proxy has been enabled through explicit definition of allow_proxy
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2021-04-02 14:44:05,821 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_okta_caller n_val does not match our valid pattern with 0 results, store the current URL: https://[redacted].oktapreview.com/api/v1/logs
2021-04-02 14:44:05,822 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_okta_caller we will now stash n_val with: https://[redacted].oktapreview.com/api/v1/logs
2021-04-02 14:44:05,842 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=Zero logs returned

 

 

 

 

0 Karma

ttovarzoll
Path Finder

Did you recreate the Input(s) in the Okta TA? It's simple enough to configure, I would do that just to ensure there wasn't something borked in the original Input, i.e., after the original token failed.

Also, for what user-account is the new token? Currently, I'm using my own admin-equiv Okta user but I'm trying to recreate it with a 'service-account' with only the required log-access permissions. The "no logs found" might be a misleading error if the token is for a user without log-access?

0 Karma
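
The check suggested in the reply above, as an added example that is not part of the original thread or of the add-on's code: it queries the Okta System Log API directly with the new token, so the token and the Splunk input can be tested separately. The `OKTA_API_TOKEN` environment variable, the script name and the function names are assumptions of this example; `SSWS` is Okta's API-token authorization scheme.

```python
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def build_request(org_url, token, hours=24, limit=5):
    """Build a System Log query covering the last `hours` hours."""
    since = (datetime.now(timezone.utc) - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urllib.parse.urlencode({"since": since, "limit": limit})
    return urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/logs?{query}",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )


def diagnose(status, body):
    """Map an HTTP status and response body to the most likely cause."""
    if status == 401:
        return "token rejected: invalid, expired or revoked"
    if status == 403:
        return "token accepted, but its user may not be allowed to read the System Log"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        events = json.loads(body)
    except ValueError:
        return "HTTP 200 but body is not JSON: check the org URL and any proxy"
    if not isinstance(events, list):
        return "HTTP 200 but body is not an event list"
    if not events:
        return "token works, no events in the window: widen the time range"
    return f"token works, {len(events)} event(s) returned: look at the Splunk input"


def check(org_url, token):
    """Send the request and return the diagnosis string."""
    try:
        with urllib.request.urlopen(build_request(org_url, token), timeout=30) as resp:
            return diagnose(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # usage: OKTA_API_TOKEN=... python okta_log_check.py https://<org>.oktapreview.com
    print(check(sys.argv[1], os.environ["OKTA_API_TOKEN"]))
```

Reading the token from the environment keeps it out of the process list and shell history.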

thambisetty
Super Champion
2021-04-02 14:44:05,821 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_okta_caller n_val does not match our valid pattern with 0 results, store the current URL: https://[redacted].oktapreview.com/api/v1/logs
————————————
If this helps, give a like below.
0 Karma

roberteves
Explorer

Do you know what that means? Is it some configuration for logging on the server side or in the Okta app on the Splunk server?

0 Karma